[gentoo-commits] proj/apache:master commit in: 2.4/conf/modules.d/, 2.2/conf/vhosts.d/, 2.4/conf/vhosts.d/, 2.2/conf/modules.d/

Lars Wendler Sun, 20 Apr 2014 09:46:32 -0700

commit:     9154fa2d2a6b8f0b59c5b1d83c8186a4249d7f8f
Author:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Sun Apr 20 16:44:54 2014 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Sun Apr 20 16:44:54 2014 +0000
URL:        
http://git.overlays.gentoo.org/gitweb/?p=proj/apache.git;a=commit;h=9154fa2d


Disabled SSLCompression by default (bug #507324). Replaced old weak with strong 
ciphers (bug #506924).

---
 2.2/conf/modules.d/40_mod_ssl.conf          |  4 ++++
 2.2/conf/vhosts.d/00_default_ssl_vhost.conf | 14 +++++++++++++-
 2.4/conf/modules.d/40_mod_ssl.conf          |  4 ++++
 2.4/conf/vhosts.d/00_default_ssl_vhost.conf | 14 +++++++++++++-
 4 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/2.2/conf/modules.d/40_mod_ssl.conf 
b/2.2/conf/modules.d/40_mod_ssl.conf
index 3d0a043..486cb43 100644
--- a/2.2/conf/modules.d/40_mod_ssl.conf
+++ b/2.2/conf/modules.d/40_mod_ssl.conf
@@ -60,4 +60,8 @@ SSLSessionCacheTimeout  300
 SSLMutex  file:/var/run/ssl_mutex
 </IfDefine>
 
+## SSL Compression:
+# Known to be vulnerable thus disabled by default (bug #507324).
+SSLCompression off
+
 # vim: ts=4 filetype=apache

diff --git a/2.2/conf/vhosts.d/00_default_ssl_vhost.conf 
b/2.2/conf/vhosts.d/00_default_ssl_vhost.conf
index 98bfc2f..bb39547 100644
--- a/2.2/conf/vhosts.d/00_default_ssl_vhost.conf
+++ b/2.2/conf/vhosts.d/00_default_ssl_vhost.conf
@@ -21,10 +21,22 @@ Listen 443
        # Enable/Disable SSL for this virtual host.
        SSLEngine on
 
+       ## SSLProtocol:
+       # Don't use SSLv2 anymore as it's considered to be broken security-wise.
+       # Also disable SSLv3 as most modern browsers are capable of TLS.
+       SSLProtocol ALL -SSLv2 -SSLv3
+
        ## SSL Cipher Suite:
        # List the ciphers that the client is permitted to negotiate.
        # See the mod_ssl documentation for a complete list.
-       SSLCipherSuite 
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+       # This list of ciphers is recommended by mozilla and was stripped off
+       # its RC4 ciphers. (bug #506924)
+       SSLCipherSuite 
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
+
+       ## SSLHonorCipherOrder:
+       # Prefer the server's cipher preference order as the client may have a
+       # weak default order.
+       SSLHonorCipherOrder On
 
        ## Server Certificate:
        # Point SSLCertificateFile at a PEM encoded certificate. If the 
certificate

diff --git a/2.4/conf/modules.d/40_mod_ssl.conf 
b/2.4/conf/modules.d/40_mod_ssl.conf
index 07c7514..803572a 100644
--- a/2.4/conf/modules.d/40_mod_ssl.conf
+++ b/2.4/conf/modules.d/40_mod_ssl.conf
@@ -60,4 +60,8 @@ SSLSessionCacheTimeout  300
 Mutex file:/run/apache_ssl_mutex ssl-cache
 </IfDefine>
 
+## SSL Compression:
+# Known to be vulnerable thus disabled by default (bug #507324).
+SSLCompression off
+
 # vim: ts=4 filetype=apache

diff --git a/2.4/conf/vhosts.d/00_default_ssl_vhost.conf 
b/2.4/conf/vhosts.d/00_default_ssl_vhost.conf
index 98bfc2f..bb39547 100644
--- a/2.4/conf/vhosts.d/00_default_ssl_vhost.conf
+++ b/2.4/conf/vhosts.d/00_default_ssl_vhost.conf
@@ -21,10 +21,22 @@ Listen 443
        # Enable/Disable SSL for this virtual host.
        SSLEngine on
 
+       ## SSLProtocol:
+       # Don't use SSLv2 anymore as it's considered to be broken security-wise.
+       # Also disable SSLv3 as most modern browsers are capable of TLS.
+       SSLProtocol ALL -SSLv2 -SSLv3
+
        ## SSL Cipher Suite:
        # List the ciphers that the client is permitted to negotiate.
        # See the mod_ssl documentation for a complete list.
-       SSLCipherSuite 
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+       # This list of ciphers is recommended by mozilla and was stripped off
+       # its RC4 ciphers. (bug #506924)
+       SSLCipherSuite 
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
+
+       ## SSLHonorCipherOrder:
+       # Prefer the server's cipher preference order as the client may have a
+       # weak default order.
+       SSLHonorCipherOrder On
 
        ## Server Certificate:
        # Point SSLCertificateFile at a PEM encoded certificate. If the 
certificate

[gentoo-commits] proj/apache:master commit in: 2.4/conf/modules.d/, 2.2/conf/vhosts.d/, 2.4/conf/vhosts.d/, 2.2/conf/modules.d/

Reply via email to